| Message ID | 20180516233046.10217-1-ross.burton@intel.com |
|---|---|
| State | New |
| Headers | show |
| Series | [rocko] libnl: protect against buffer overflow (CVE-2017-0553) | expand |
On Wed, May 16, 2018 at 4:30 PM, Ross Burton <ross.burton@intel.com> wrote: Looks like a duplicate of: http://lists.openembedded.org/pipermail/openembedded-core/2018-May/150743.html ? > Signed-off-by: Ross Burton <ross.burton@intel.com> > --- > meta/recipes-support/libnl/libnl/overflow.patch | 39 +++++++++++++++++++++++++ > meta/recipes-support/libnl/libnl_3.2.29.bb | 1 + > 2 files changed, 40 insertions(+) > create mode 100644 meta/recipes-support/libnl/libnl/overflow.patch > > diff --git a/meta/recipes-support/libnl/libnl/overflow.patch b/meta/recipes-support/libnl/libnl/overflow.patch > new file mode 100644 > index 00000000000..777fac3ea1a > --- /dev/null > +++ b/meta/recipes-support/libnl/libnl/overflow.patch > @@ -0,0 +1,39 @@ > +CVE: CVE-2017-0553 > +Upstream-Status: Backport > +Signed-off-by: Ross Burton <ross.burton@intel.com> > + > +From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001 > +From: Thomas Haller <thaller@redhat.com> > +Date: Mon, 6 Feb 2017 22:23:52 +0100 > +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve() > + > +In general, libnl functions are not robust against calling with > +invalid arguments. Thus, never call libnl functions with invalid > +arguments. In case of nlmsg_reserve() this means never provide > +a @len argument that causes overflow. > + > +Still, add an additional safeguard to avoid exploiting such bugs. > + > +Assume that @pad is a trusted, small integer. > +Assume that n->nm_size is a valid number of allocated bytes (and thus > +much smaller then SIZE_T_MAX). > +Assume, that @len may be set to an untrusted value. Then the patch > +avoids an integer overflow resulting in reserving too few bytes. > +--- > + lib/msg.c | 3 +++ > + 1 file changed, 3 insertions(+) > + > +diff --git a/lib/msg.c b/lib/msg.c > +index 9af3f3a0..3e27d4e0 100644 > +--- a/lib/msg.c > ++++ b/lib/msg.c > +@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad) > + size_t nlmsg_len = n->nm_nlh->nlmsg_len; > + size_t tlen; > + > ++ if (len > n->nm_size) > ++ return NULL; > ++ > + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; > + > + if ((tlen + nlmsg_len) > n->nm_size) > \ No newline at end of file > diff --git a/meta/recipes-support/libnl/libnl_3.2.29.bb b/meta/recipes-support/libnl/libnl_3.2.29.bb > index 7d4839ba506..746fd3d4153 100644 > --- a/meta/recipes-support/libnl/libnl_3.2.29.bb > +++ b/meta/recipes-support/libnl/libnl_3.2.29.bb > @@ -12,6 +12,7 @@ DEPENDS = "flex-native bison-native" > SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \ > file://fix-pktloc_syntax_h-race.patch \ > file://fix-pc-file.patch \ > + file://overflow.patch \ > " > UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases" > > -- > 2.11.0 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Certainly does, sorry about that! Ross On 17 May 2018 at 01:44, Andre McCurdy <armccurdy@gmail.com> wrote: > On Wed, May 16, 2018 at 4:30 PM, Ross Burton <ross.burton@intel.com> wrote: > > Looks like a duplicate of: > > http://lists.openembedded.org/pipermail/openembedded-core/2018-May/150743.html > > ? > >> Signed-off-by: Ross Burton <ross.burton@intel.com> >> --- >> meta/recipes-support/libnl/libnl/overflow.patch | 39 +++++++++++++++++++++++++ >> meta/recipes-support/libnl/libnl_3.2.29.bb | 1 + >> 2 files changed, 40 insertions(+) >> create mode 100644 meta/recipes-support/libnl/libnl/overflow.patch >> >> diff --git a/meta/recipes-support/libnl/libnl/overflow.patch b/meta/recipes-support/libnl/libnl/overflow.patch >> new file mode 100644 >> index 00000000000..777fac3ea1a >> --- /dev/null >> +++ b/meta/recipes-support/libnl/libnl/overflow.patch >> @@ -0,0 +1,39 @@ >> +CVE: CVE-2017-0553 >> +Upstream-Status: Backport >> +Signed-off-by: Ross Burton <ross.burton@intel.com> >> + >> +From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001 >> +From: Thomas Haller <thaller@redhat.com> >> +Date: Mon, 6 Feb 2017 22:23:52 +0100 >> +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve() >> + >> +In general, libnl functions are not robust against calling with >> +invalid arguments. Thus, never call libnl functions with invalid >> +arguments. In case of nlmsg_reserve() this means never provide >> +a @len argument that causes overflow. >> + >> +Still, add an additional safeguard to avoid exploiting such bugs. >> + >> +Assume that @pad is a trusted, small integer. >> +Assume that n->nm_size is a valid number of allocated bytes (and thus >> +much smaller then SIZE_T_MAX). >> +Assume, that @len may be set to an untrusted value. Then the patch >> +avoids an integer overflow resulting in reserving too few bytes. >> +--- >> + lib/msg.c | 3 +++ >> + 1 file changed, 3 insertions(+) >> + >> +diff --git a/lib/msg.c b/lib/msg.c >> +index 9af3f3a0..3e27d4e0 100644 >> +--- a/lib/msg.c >> ++++ b/lib/msg.c >> +@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad) >> + size_t nlmsg_len = n->nm_nlh->nlmsg_len; >> + size_t tlen; >> + >> ++ if (len > n->nm_size) >> ++ return NULL; >> ++ >> + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; >> + >> + if ((tlen + nlmsg_len) > n->nm_size) >> \ No newline at end of file >> diff --git a/meta/recipes-support/libnl/libnl_3.2.29.bb b/meta/recipes-support/libnl/libnl_3.2.29.bb >> index 7d4839ba506..746fd3d4153 100644 >> --- a/meta/recipes-support/libnl/libnl_3.2.29.bb >> +++ b/meta/recipes-support/libnl/libnl_3.2.29.bb >> @@ -12,6 +12,7 @@ DEPENDS = "flex-native bison-native" >> SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \ >> file://fix-pktloc_syntax_h-race.patch \ >> file://fix-pc-file.patch \ >> + file://overflow.patch \ >> " >> UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases" >> >> -- >> 2.11.0 >> >> -- >> _______________________________________________ >> Openembedded-core mailing list >> Openembedded-core@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-core -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
diff --git a/meta/recipes-support/libnl/libnl/overflow.patch b/meta/recipes-support/libnl/libnl/overflow.patch new file mode 100644 index 00000000000..777fac3ea1a --- /dev/null +++ b/meta/recipes-support/libnl/libnl/overflow.patch @@ -0,0 +1,39 @@ +CVE: CVE-2017-0553 +Upstream-Status: Backport +Signed-off-by: Ross Burton <ross.burton@intel.com> + +From 3e18948f17148e6a3c4255bdeaaf01ef6081ceeb Mon Sep 17 00:00:00 2001 +From: Thomas Haller <thaller@redhat.com> +Date: Mon, 6 Feb 2017 22:23:52 +0100 +Subject: [PATCH] lib: check for integer-overflow in nlmsg_reserve() + +In general, libnl functions are not robust against calling with +invalid arguments. Thus, never call libnl functions with invalid +arguments. In case of nlmsg_reserve() this means never provide +a @len argument that causes overflow. + +Still, add an additional safeguard to avoid exploiting such bugs. + +Assume that @pad is a trusted, small integer. +Assume that n->nm_size is a valid number of allocated bytes (and thus +much smaller then SIZE_T_MAX). +Assume, that @len may be set to an untrusted value. Then the patch +avoids an integer overflow resulting in reserving too few bytes. +--- + lib/msg.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/msg.c b/lib/msg.c +index 9af3f3a0..3e27d4e0 100644 +--- a/lib/msg.c ++++ b/lib/msg.c +@@ -411,6 +411,9 @@ void *nlmsg_reserve(struct nl_msg *n, size_t len, int pad) + size_t nlmsg_len = n->nm_nlh->nlmsg_len; + size_t tlen; + ++ if (len > n->nm_size) ++ return NULL; ++ + tlen = pad ? ((len + (pad - 1)) & ~(pad - 1)) : len; + + if ((tlen + nlmsg_len) > n->nm_size) \ No newline at end of file diff --git a/meta/recipes-support/libnl/libnl_3.2.29.bb b/meta/recipes-support/libnl/libnl_3.2.29.bb index 7d4839ba506..746fd3d4153 100644 --- a/meta/recipes-support/libnl/libnl_3.2.29.bb +++ b/meta/recipes-support/libnl/libnl_3.2.29.bb @@ -12,6 +12,7 @@ DEPENDS = "flex-native bison-native" SRC_URI = "https://github.com/thom311/${BPN}/releases/download/${BPN}${@d.getVar('PV').replace('.','_')}/${BP}.tar.gz \ file://fix-pktloc_syntax_h-race.patch \ file://fix-pc-file.patch \ + file://overflow.patch \ " UPSTREAM_CHECK_URI = "https://github.com/thom311/${BPN}/releases"
Signed-off-by: Ross Burton <ross.burton@intel.com> --- meta/recipes-support/libnl/libnl/overflow.patch | 39 +++++++++++++++++++++++++ meta/recipes-support/libnl/libnl_3.2.29.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-support/libnl/libnl/overflow.patch -- 2.11.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core